Abstract. We present a new fast provably secure MAC called XMAC 
based on universal hashing. In the construction we use new families of 
universal hash functions which are especially well suited for tree-like 
hashing. Furthermore, we develop an effective tree-like hashing procedure. 
The proof of security is simple and easy to verify. The end result 
is a very effective MAC which is fast on both short and long messages, 
achieving a peak performance of 2.2 clock cycles per byte on a Pentium 
III processor for a 64-bit tag with a forgery probability of 2^{-52}. The 
design makes it fast on most platforms. 

Keywords: MAC, universal hash, tree, stream cipher, Rabbit 



1 Introduction 

A Message Authentication Code (MAC) provides a way to detect whether a message 
has been tampered with during transmission. The usual model for authentication 
includes three participants: a transmitter, a receiver and an opponent. 
The transmitter communicates a message over an insecure channel in which the 
opponent has the ability to introduce new messages as well as to alter an existing 
message. Insertion of a new message by the opponent is called impersonation 
and modification of an existing message by the opponent is called substitution. 
In both cases the opponent's goal is to deceive the receiver into believing that 
the new message is authentic. 

In many applications, it is of significant importance that the receiver can 
verify the integrity of a message. In some cases this is even more important than 
encryption [1]. Often encryption and authentication are both required. With the 
emergence of fast software-based encryption algorithms like Rijndael [2], SNOW 
[3], Rabbit [4], etc., the need for fast software-based message authentication codes 
is increasing. Some attempts have been made to construct an integrated MAC 
and encryption algorithm, e.g. Helix [5]. However, such approaches make it hard 
to prove the security of the MAC part. On the other hand, there exist constructions that 
can be proven secure with respect to an underlying cryptographic primitive. 
Prominent examples are HMAC [6] and the universal hashing approach [7]. 

The construction presented here is based on the universal hashing approach. 
Universal hashing was introduced in 1979 by Carter and Wegman [7]. A universal 
hash function family is a set of functions fulfilling certain combinatorial 
properties. For example, a family is called ε-universal if the probability of a collision 
in a randomly chosen function evaluated at two different points is no more 
than ε. 



In 1981, Wegman and Carter suggested using universal hash functions for 
message authentication [8]. In their approach, a given message is hashed with 
a randomly chosen universal hash function, whereafter the output is encrypted 
with a one-time pad in order to obtain the MAC tag. Since the universal hash 
functions are only required to fulfill, in a cryptographical sense, a rather simple 
combinatorial property, they can usually be constructed to be very fast. Recent 
research has been successful in achieving impressive speeds. Notable examples 
can be found in [9-13]. In particular, UMAC [12], which has been recommended 
in the NESSIE portfolio [14], has achieved speeds on a Pentium III processor 
of 1.8 clock cycles per byte^1 with a forgery probability of 2^{-60} for a 64-bit tag. 
However, for very short messages the performance is slower, e.g. 12.6 clock cycles 
per byte for a message length of 43 bytes with the same forgery probability. 

It is the aim of this paper to construct a Wegman-Carter based MAC which 
is fast on both short and long messages. The performance on short messages is 
important as the MAC function used in IPSec operates on 43-1500 bytes [15] 
and the MAC function used in TLS operates on 0-17 kilobytes. In addition, the 
setup procedure must be simple and fast, as the number of messages and amount 
of data processed per setup is small in many applications, e.g. TLS. Finally, the 
MAC is required to have verifiable-selectable assurance^2. 

In order to achieve high performance, we introduce new families of universal 
hash functions especially well suited for tree-like hashing. These are obtained 
by reducing Δ-universal hash families to universal hash families. This results in 
significant performance gains for small compressions. Furthermore, we develop 
an effective tree-like hashing procedure which basically consists of combining a 
tree hash with a linear hash. The construction is provably secure (relative to a 
cryptographic primitive) with relatively simple proofs. 

The paper is organized as follows. In Section 2 we present the definitions 
of the different classes of universal hash families and composition theorems. In 
Section 3 we introduce a simple method to reduce Δ-universal hash families 
to universal hash families. A modification to the simple tree hashing scheme is 
presented in Section 4. Section 5 contains the specification of XMAC and the 
performance results are presented in Section 6. We conclude in Section 7. 



2 Universal Hashing and Message Authentication 



As mentioned above, Wegman and Carter [8] discovered that it is possible to use 
the notion of a randomly chosen strongly (see below) universal hash function to 
compress a given message and encrypt it using a one-time pad^3. We describe 
briefly in the following why this is possible. 

^1 A 16-bit version of UMAC optimized for Pentium III SIMD technology has better 
performance. A similar modified version of XMAC using 16-bit multiplications could 
also gain a significant performance boost on the Pentium III processor. 

^2 For a more detailed description of verifiable-selectable assurance, see [12]. In short, 
this means that the receiver can verify to lower assurance levels than for the full tag 
in order to increase performance. 

Let us first list the well-known definitions of universal hashing. 

Definition 1 An ε-almost-universal (ε-AU) family H of hash functions maps 
from a set A to a set B, such that for any distinct elements x, x' ∈ A: 

  \Pr_{h_k \in H}(h_k(x) = h_k(x')) \le \varepsilon   (1) 

H is universal (U) if ε = 1/|B|. 

Universal hash families were first defined by Carter and Wegman in 1979 [7]. 
ε-AU hash families were defined by Stinson in 1991 [16]. 



Definition 2 An ε-almost-Δ-universal (ε-AΔU) family H of hash functions 
maps from a set A to a set B, such that for any distinct elements x, x' ∈ A 
and for all a ∈ B: 

  \Pr_{h_k \in H}(h_k(x) - h_k(x') = a) \le \varepsilon   (2) 

H is Δ-universal (ΔU) if ε = 1/|B|. 

ε-AΔU is a generalization of the ε-Almost-Xor-Universal (ε-AXU) family of hash 
functions defined by Krawczyk in 1994 [17] to arbitrary abelian groups and was 
given by Stinson in 1996 [18]. 



Definition 3 An ε-almost-strongly-universal (ε-ASU) family H of hash functions 
maps from a set A to a set B, such that for any distinct elements x, x' ∈ A 
and all a, b ∈ B: 

  \Pr_{h_k \in H}(h_k(x) = a) = 1/|B|   (3) 

and 

  \Pr_{h_k \in H}(h_k(x) = a,\ h_k(x') = b) \le \varepsilon/|B|   (4) 

H is strongly universal (SU) if ε = 1/|B|. 

SU hash families were first defined by Wegman and Carter in 1981 [8]. The concept 
of ε-ASU hash families was introduced in [8], and was later formalized by 
Stinson in 1991 [16]. 

Moreover, hash families can be combined in order to obtain new hash families. 
The composition theorems below (see [19]) describe what happens to the 
resulting ε, domains and ranges. 



^3 Of course, a cryptographic primitive like a stream cipher can also be used to generate 
a pseudo-random key, but then the security depends on the security of the primitive. 



Composition 1: If there exists an ε_1-AU family H_1 of hash functions from A 
to B and an ε_2-AU family H_2 of hash functions from B to C, then there exists 
an ε-AU family H of hash functions from A to C, where H = H_1 × H_2, 
|H| = |H_1| · |H_2|, and ε = ε_1 + ε_2 − ε_1ε_2 ≤ ε_1 + ε_2. 

Composition 2: If there exists an ε_1-AU family H_1 of hash functions from A 
to B and an ε_2-ASU family H_2 of hash functions from B to C, then there exists 
an ε-ASU family H of hash functions from A to C, where H = H_1 × H_2, 
|H| = |H_1| · |H_2|, and ε = ε_1 + ε_2 − ε_1ε_2 ≤ ε_1 + ε_2. 

From the definitions it follows that strongly universal hashing can be used 
for message authentication. If we denote the probability for an impersonation 
attack to succeed by P_I and the probability for a substitution attack to succeed 
by P_S, we have the following theorem (see for instance [8, 19, 20]): 

Theorem 1 There exists an ε-ASU family of hash functions from A to B if and 
only if there exists an authentication code with |A| messages, |B| authenticators 
and k = |H| keys, such that P_I = 1/|B| and P_S ≤ ε. 

A similar version for ε-AXU families has been proven by Krawczyk [17]. The 
particular Wegman-Carter MAC can be defined as: 

Definition 4 Given an ε-ASU family H of hash functions mapping from a set 
A to a set B, a nonce n, and a random pad f(n), then the Wegman-Carter 
MAC is 

  MAC_{WC}(M; k, f(n)) = h_k(M) \oplus f(n),   (5) 

where k is the random hash function key and M is the message. 
A new nonce must be used for each application of the MAC to ensure the 
unconditional security of the construction. 

In the next section we will describe a method to reduce delta-universal hash 
functions to universal hash functions. It turns out that these new universal hash 
families are particularly well-suited for tree structures. 

3 Reducing Delta-Universal Hash Functions to Universal 
Hash Functions 

As seen above there are different classes of universal hash functions, e.g. strongly 
universal, almost strongly universal, delta-universal, almost delta-universal and 
so on. The latter are contained in the former. Furthermore, it is possible to 
convert classes into other classes. For example, it is possible to convert a delta- 
universal hash family into a strongly-universal hash family [11]. 

For our construction we convert the Δ-universal hash family MMH*, proposed 
by Halevi and Krawczyk [13], into a strongly universal hash family. This 
is accomplished by adding an additional key, in the following way: 

  MMH_k(M) = \Big(\sum_{i=1}^{n} m_i k_i\Big) + k_{n+1} \bmod p,   (6) 

where p is a prime number, M = m_1||...||m_n and m_i, k_i ∈ {0, ..., p − 1}. 
In some cases it is also beneficial to do the opposite, i.e. to reduce a stronger 
family into a weaker family. This is, of course, only relevant when a performance 
gain can be achieved. This is illustrated in the following. 

Theorem 2 Let H^Δ be an ε-almost-delta-universal hash family from a set A to 
a set B. Furthermore, consider an additional part of message m_b ∈ B. Then the 
family consisting of the functions h_k(m, m_b) = h_k^Δ(m) + m_b is ε-almost-universal 
for equal length messages. 

Proof. From the definitions above we have for m ≠ m' 

  \Pr[h_k(m, m_b) - h_k(m', m'_b) = 0] = \Pr[h_k^{\Delta}(m) + m_b - h_k^{\Delta}(m') - m'_b = 0]   (7) 

or 

  \Pr[h_k^{\Delta}(m) - h_k^{\Delta}(m') = m'_b - m_b \equiv \delta] \le \varepsilon,   (8) 

since H^Δ is an ε-almost-delta-universal family. The case when m = m' but 
m_b ≠ m'_b is trivial. ∎ 

A very fast universal hash family is the NH family used in UMAC [12]. It 
was proposed in [21] based on a previous construction by Wegman and Carter: 

  NH_K(M) = \sum_{i=1}^{n/2} (k_{2i-1} +_w m_{2i-1}) \cdot (k_{2i} +_w m_{2i}) \bmod 2^{2w},   (9) 

where +_w means 'addition modulo 2^w' and m_i, k_i ∈ {0, ..., 2^w − 1}. It is a 
2^{-w}-almost-delta-universal hash family. In [12] only the universal property is 
explicitly proven. 

Corollary 1 The following version of NH: 

  NH_K(m) = (k_1 +_w m_1) \cdot (k_2 +_w m_2) \bmod 2^{2w},   (10) 

is 2^{-w}-almost-Δ-universal for equal length messages. 

Proof. This proof is just a slight modification of the one presented in [12]. We 
must show that 

  \Pr[(k_1 + m_1)(k_2 + m_2) - (k_1 + m'_1)(k_2 + m'_2) = \delta] \le 2^{-w},   (11) 

as in [12] all arithmetic is carried out in Z/2^{2w}. We assume that m_2 ≠ m'_2. 
Define c = k_2 + m_2 and c' = k_2 + m'_2. By assumption it follows that c ≠ c'. So 
we have 

  \Pr[(k_1 + m_1)c - (k_1 + m'_1)c' - \delta = 0] \le 2^{-w},   (12) 

since from lemma 1 in [21] the equality will only be satisfied by one k_1. ∎ 



According to Theorem 2, this family can be reduced to an ε-almost-universal 
hash family: 

  f(m_1, m_2, m_3, m_4, k_1, k_2) = (m_1 +_{32} k_1)(m_2 +_{32} k_2) +_{64} m_3 +_{64} 2^{32} m_4,   (13) 

where all arguments are 32-bit and the output is 64-bit. The collision bound is 2^{-32}. 
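The following Python block is an added example and is not code from the paper: it implements the two-word NH function of Eq. 10, its almost-universal reduction in the sense of Theorem 2, the 64-bit function f of Eq. 13 and the equivalent Function h of the XMAC pseudo-code (Eq. 21), and checks the ε-almost-Δ-universal bound of Definition 2 and the ε-almost-universal bound of Definition 1 exhaustively over every key and every message pair for a toy word size w. The names nh2, reduced, f_eq13, h_spec, max_delta_collision_prob and max_au_collision_prob_reduced are this example's own.

```python
# Added example (not from the paper): the two-word NH family of Corollary 1,
# its reduction to an almost-universal family (Theorem 2, Eq. 13) and the
# 64-bit compression function h of the XMAC pseudo-code. The exhaustive
# checkers use a toy word size w so that every key and message pair is tried.
import itertools


def nh2(k1, k2, m1, m2, w):
    """Eq. 10: (k1 +_w m1) * (k2 +_w m2) mod 2^(2w), all inputs w-bit words."""
    mask = (1 << w) - 1
    return (((k1 + m1) & mask) * ((k2 + m2) & mask)) & ((1 << (2 * w)) - 1)


def reduced(k1, k2, m1, m2, m3, w):
    """Theorem 2 applied to nh2: a 2w-bit message word m3 is added to the
    Delta-universal output, giving an almost-universal function of (m1, m2, m3)."""
    return (nh2(k1, k2, m1, m2, w) + m3) & ((1 << (2 * w)) - 1)


def f_eq13(m1, m2, m3, m4, k1, k2):
    """Eq. 13 with w = 32: 32-bit arguments, 64-bit output."""
    mask32 = (1 << 32) - 1
    mask64 = (1 << 64) - 1
    return (((m1 + k1) & mask32) * ((m2 + k2) & mask32) + m3 + (m4 << 32)) & mask64


def h_spec(k, blk1, blk2):
    """Function h(k, m1, m2) of the XMAC box (Eq. 21) on 64-bit words: the low
    halves of blk1 and k are added mod 2^32, likewise the high halves, the two
    sums are multiplied and the second 64-bit block is added mod 2^64."""
    mask32 = (1 << 32) - 1
    mask64 = (1 << 64) - 1
    lo = (blk1 + k) & mask32
    hi = ((blk1 >> 32) + (k >> 32)) & mask32
    return (lo * hi + blk2) & mask64


def max_delta_collision_prob(w):
    """Largest Pr_k[nh2(m) - nh2(m') = delta] over all m != m' and all delta
    (the epsilon-almost-Delta-universal bound of Definition 2), by exhaustion."""
    n, mod = 1 << w, 1 << (2 * w)
    keys = list(itertools.product(range(n), repeat=2))
    msgs = list(itertools.product(range(n), repeat=2))
    worst = 0.0
    for (m1, m2), (p1, p2) in itertools.combinations(msgs, 2):
        counts = {}
        for k1, k2 in keys:
            d = (nh2(k1, k2, m1, m2, w) - nh2(k1, k2, p1, p2, w)) % mod
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()) / len(keys))
    return worst


def max_au_collision_prob_reduced(w):
    """Largest Pr_k[reduced(m) = reduced(m')] over all m != m' (the epsilon-
    almost-universal bound of Definition 1) for the reduced family, by exhaustion."""
    n, mod = 1 << w, 1 << (2 * w)
    keys = list(itertools.product(range(n), repeat=2))
    msgs = list(itertools.product(range(n), range(n), range(mod)))
    worst = 0.0
    for (m1, m2, m3), (p1, p2, p3) in itertools.combinations(msgs, 2):
        hits = sum(1 for k1, k2 in keys
                   if reduced(k1, k2, m1, m2, m3, w) == reduced(k1, k2, p1, p2, p3, w))
        worst = max(worst, hits / len(keys))
    return worst


if __name__ == "__main__":
    print("max Delta-collision prob, w=3:", max_delta_collision_prob(3), "bound", 2 ** -3)
    print("max AU-collision prob of reduced family, w=2:",
          max_au_collision_prob_reduced(2), "bound", 2 ** -2)
```

For w = 3 the Δ bound 2^{-3} is attained: the messages (0, 0) and (0, 1) with δ = 0 collide for every key with k_1 = 0, i.e. for 8 of the 64 keys, which is why the checker compares with ≤ rather than <. Exhaustion is of course out of reach for the real word size w = 32, which is why the paper argues the bound via Corollary 1 instead.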

The question is whether this construction is useful and, if so, how it can be used 
most effectively. The construction is useful when the domain |A| is not much 
larger than the range |B|, but useless when |A| ≫ |B|. 

Thus, if relatively short messages are hashed for each key, the extra block 
results in a significant performance gain. This is the subject of the next section. 

4 The Modified Tree Construction 

An immediate use of the above defined hash family is in a tree-like construction. 
As an example of a tree construction we assume that the message length can be 
written as |M| = b·2^n where b is some given block length. We also assume that a 
"two-to-one" universal hash family is given, i.e. a member of H takes a bitstring 
of length 2b and hashes it to a string of length b. Then we can construct a new 
universal hash family taking strings of length |M| and hashing them to strings 
of length b by the well-known tree construction. The depth of the tree will be n. 
Clearly such a tree construction is the same as successively applying n parallel 
hashes. We define the parallel hash family [22] as follows: 

Definition 5 Given a message M = m_1||...||m_{c^n} with length |M| = b c^n, we 
hash c blocks at a time with a universal hash function h_k ∈ H taking bc bits to 
b bits and concatenate the results. The result is a string with length b c^{n−1}. We 
denote the hash family by H^{par} and a member by h_k^{par}: 

  h_k^{par}(M) = h_k(m_1, \dots, m_c) \| \dots \| h_k(m_{c^n - c + 1}, \dots, m_{c^n})   (14) 

It is easy to see that if H has a collision bound of ε then so does the parallel 
hash, H^{par}. We define the usual tree construction as follows: 



Definition 6 Let a message M be given with length |M| = b c^n for any integer 
n. We define a new hash family by applying h_k^{par} n times, each time with a new 
random key k_i. We denote the family by H^{tree} and a member by: 

  h_k^{tree}(M) = h_{k_n}^{par} \circ h_{k_{n-1}}^{par} \circ \dots \circ h_{k_1}^{par}(M).   (15) 

We say that the tree has n levels. 

Theorem 3 The above defined family, H^{tree}, is a 1 − (1 − ε)^n-universal family 
of hash functions for equal length messages. 




Fig. 1. Figure (a) illustrates the traditional tree construction using the parallel hash 
and figure (b) illustrates the modified tree construction, using the modified parallel 
hash. 



Proof. Let us define ε_i as the collision bound for H_i^{tree}; then we have for H_{i+1}^{tree}: 

  \Pr[h_{k_{i+1}}^{par}(h_k^{tree}(m)) = h_{k_{i+1}}^{par}(h_k^{tree}(m'))] \le \varepsilon_i (1 - \varepsilon) + \varepsilon   (16) 

Solving the recurrence we get: 

  \varepsilon_n = (1-\varepsilon)^{n-1}\varepsilon + \dots + (1-\varepsilon)\varepsilon + \varepsilon = \varepsilon \sum_{i=0}^{n-1} (1-\varepsilon)^i = 1 - (1-\varepsilon)^n \le n\varepsilon   (17) 



The hash family defined by Eq. 13 is very well suited for binary tree con- 
structions. However, in such a tree the message lengths must be the block length 
times a power of two. An immediate generalization would be to do as suggested 
by Wegman and Carter [8]. They suggest breaking the message into substrings 
of length 2b and if necessary pad the last substring with zeroes. The resulting 
string is hashed with the parallel hash. If necessary, the resulting string is again 
padded with zeroes. This is repeated until the resulting string has length b. 

This procedure is not always optimal, as illustrated in Fig. 1a. The reason 
is that for most message lengths, e.g. message lengths not equal to a power 
of two, extra applications of the universal hash function are needed. Of course, 
this is only significant for short messages. We propose the construction below. 
First we define a modified parallel hash: 

Definition 7 Given a universal hash family, H, taking bc bits to b bits with 
members h_k, consider the message M, where |M| is a multiple of the block size 
b, i.e. M = m_1||...||m_q and |M| = bq. Define r_c = q mod c. The modified 
parallel hash can be defined as: 

  h_k^{mpar}(M) = \begin{cases} 
    h_k(m_1, \dots, m_c) \| \dots \| h_k(m_{q-c+1}, \dots, m_q) & \text{if } r_c = 0 \\ 
    h_k(m_1, \dots, m_c) \| \dots \| h_k(m_{q-c-r_c+1}, \dots, m_{q-r_c}) \| m_{q-r_c+1} \| \dots \| m_q & \text{if } r_c \neq 0 
  \end{cases}   (18) 
Property 1 The modified parallel hash is ε-almost universal on equal length 
messages. 

Proof. In the first case, where q is a multiple of c, we simply have a parallel hash 
and the bound on the collision probability is ε. In the case where q is not a 
multiple of c, there are two possible situations. Either the difference in the messages 
M and M' is in the part which is processed by h_k, or in the part which 
is not processed, but simply concatenated to the result. In the first situation 
the bound on the collision probability is ε. In the second situation the collision 
probability is trivially zero. Therefore, the bound for the collision probability of 
the modified parallel hash is ε_{mpar} = max(ε, 0) = ε. ∎ 

It is straightforward to define a modified tree hash, i.e. define it as in Definition 
6 but use the modified parallel hash instead of the usual parallel hash. 

Corollary 2 Given a message with length |M| = b(c^{n−1} + r) where 0 < r < 
c^n − c^{n−1}, the modified tree hash defines a 1 − (1 − ε)^n-almost universal family 
of hash functions on equal length messages. 

Proof. This follows from Theorem 3 when the usual parallel hash is replaced 
by the modified parallel hash, since both are ε-almost universal, and the 
number of levels is the same in both cases^4. ∎ 

As an example consider the case when c = 2. The message is divided into 
blocks of size b. If the message length is not a multiple of b, zeros are appended to 
the message such that the length becomes a multiple of b. If the length hereafter 
is a multiple of 2b, the hash function is applied to each pair of blocks and the results are 
concatenated. If the length is an odd multiple of b, the hash function is applied to 
each pair of blocks except the last block. The results and the last block are concatenated. 
The procedure is repeated until the size of the result is b. The construction is 
illustrated in Fig. 1b. 

Note that the construction can alternatively be defined in the following way 
(we use the binary case as an example): Let the message length be given by 
|M| = b Σ_i a_i 2^i where a_i ∈ {0, 1}. To each term a_i 2^i in the sum corresponds 
a tree with i levels. We order these trees according to size with the largest tree 
first. More precisely, we use the tree hash for each group of data corresponding 
to a term in the sum, concatenate the results, and linearly hash them backwards, 
i.e. take the b-bit block output from the last tree and hash it with the result 
of the second to last tree and so on, until only one b-bit string is left. In other 
words, the construction consists of a series of concatenated tree hashes followed 
by a linear hash [22]. For the example in Fig. 1b the message length can be 
written as |M| = b(2^3 + 2^1 + 2^0). There is one tree with 3 levels, one with 1 level 
and one with 0 levels. The hash results of those trees are then linearly hashed 
starting with the result from the smallest tree. 

^4 In a Wegman-Carter binary tree hash, a message consisting of an odd number of 
blocks is padded up such that the number of blocks is even. This is done after each 
application of the parallel hash. The number of levels is equal to the number of levels 
of a message of the nearest larger power of two. Now it is easy to convince oneself 
that the number of levels of the modified tree hash is exactly the same. 

The above construction is only almost-universal for equal length messages. 
To ensure universality for different length messages we simply concatenate the 
length of the given message in a fixed z-bit format [12, 22]: 

Definition 8 Fix z > 0 and let the message M have any length less than 2^z. 
Define L_z = |M| to be the z-bit representation of the length and define H^* as 
the family: 

  h_k^{*}(M) = h_k(M) \| L_z.   (19) 

We then have the following property: 

Property 2 The hash function family H^* is 1 − (1 − ε)^n-almost universal. 

Proof. In the case |M| ≠ |M'|, the collision probability is trivially zero. In the 
case |M| = |M'|, the collision probability is given according to Corollary 2 by 
the number of levels necessary to compress the message. ∎ 

In order to use our universal hash function in a MAC, according to Theorem 1 
we need to apply a strongly universal hash function to the output of h_k^*, i.e. 
h_{k'}^{SU}(h_k^*(M)). This strongly universal hash function maps an input of size b + z 
bits to an output of a size appropriate for the collision probability. 

Theorem 4 The hash function family consisting of the members h_{k'}^{SU}(h_k^*(M)) 
is ε_{tree} + (1 − ε_{tree})ε_{SU}-almost-strongly universal. 

Proof. According to Composition 2. ∎ 

Finally, it is easily seen that the amount of key material, N_{MAC}(M), needed 
for a given message M is given by 

  N_{MAC}(M) = N_U \lceil \log_c(|M|/b) \rceil + N_{SU},   (20) 

where N_U is the amount of key material needed for the basic almost-universal 
hash function in the tree and N_{SU} is the amount of key material needed for 
the strongly-universal hash function used in the end. Note that the amount of 
needed key material is the same as for the usual tree MAC. 
In the next section we explicitly specify XMAC. 



5 The XMAC Specification 

A schematic pseudo-code of XMAC is presented in the box below. In the following 
we briefly describe the different steps of the algorithm. 

To generate the key material for use in the universal hash functions, any 
secure pseudo-random generator is applicable. In this algorithm we will use the 
stream cipher Rabbit [4], which is seeded with a 128-bit key. We define the 
maximal length of a message to be 2^64 bits, requiring maximally 58 levels in the 
tree and, hence, 58 64-bit keys. Furthermore, 6 keys belonging to the interval 
{0, ..., 2^31 − 2} need to be generated for the strongly universal hash function. 

To process the message, it is divided into 64-bit blocks, and padded with 
zeroes if necessary. The message is then processed with the hash function defined 
in eq. (13), h(k, m_1, m_2), where k, m_1, m_2 ∈ {0, ..., 2^64 − 1}, in a modified 
binary tree construction as defined in Definition 7 and the text below it, until the 
message is compressed to 64 bits. The length of the message measured in bits is 
represented as a 64-bit number and concatenated to the 64-bit result. 

The resulting 128-bit block is appended with 22 zeroes, divided into five 
30-bit blocks and hashed with the strongly universal version of the hash family 
MMH* defined in Eq. 6. The prime field is chosen to be {0, ..., 2^31 − 2} to ensure 
simple overflow handling and modulus calculation in 32-bit implementations. 

The final tag is generated by XORing the output of the hash function with 
a pseudo-random pad, according to Definition 4. To generate the pseudo-random 
pad we use the IV-setup function of Rabbit with a nonce as initialization vector. 
The size of the output from the hash function is in principle 31 bits. However, 
we encrypt the output with a pseudo-random pad of size 32 bits, to make the tag 
match the 32-bit register size. 



Function h(k, m_1, m_2) 
1. return (m_1 +_32 k) · ((m_1 ≫ 32) +_32 (k ≫ 32)) +_64 m_2 

Function XMAC(M, nonce) 
1. Generate 64-bit keys: Rabbit_K = k_1||...||k_58 
2. Generate keys ∈ {0, ..., 2^31 − 2}: Rabbit_K = k'_1||...||k'_6 
3. L = |M| 
4. while |M| mod 64 ≠ 0 do: M = M||0 
5. for i = 1 to ceil[log_2(L/64)] do (t denotes the current number of 64-bit blocks m_1||...||m_t of M): 
     M = h(k_i, m_1, m_2)||...||h(k_i, m_{t−1}, m_t)              if t is even 
     M = h(k_i, m_1, m_2)||...||h(k_i, m_{t−2}, m_{t−1})||m_t     if t is odd 
6. Append to M the 64-bit message length L: Q = M||L 
7. Divide Q into 30-bit blocks and append 22 zeroes: Q = q_1||...||q_5||0||...||0 
8. S = (Σ_{i=1}^{5} q_i k'_i + k'_6) mod (2^31 − 1) 
9. return S ⊕ Rabbit_K(nonce) 



The forgery probability depends on the number of levels in the tree; the bound 
on the collision probability for each level in the tree is ε_h = 2^{-32}. For the 
strongly universal hash family we have ε_{SU} = 1/(2^31 − 1) ≈ 2^{-31}. The maximal 
number of levels in the tree for a 2^64-bit message is 58. Using Composition 2 
and Theorem 3 the forgery probability is: 

  \varepsilon \le \varepsilon_{SU} + (1 - \varepsilon_{SU})(1 - (1 - \varepsilon_h)^n) \approx 2^{-31} + (1 - 2^{-31})(1 - (1 - 2^{-32})^{58}) \approx 2^{-26.09}. 



A forgery probability of 2^{-26.09} is insufficient for most applications. However, 
a simple method to reduce the forgery probability is to hash the message y times 
with independent keys and concatenate the results. This method results in a 
forgery probability of 2^{-26y}. To obtain 128-bit security we need to hash the 
message 5 times, yielding a probability of 2^{-130} and a tag size of 160 bits. In 
particular, this leads to the verifiable-selectable assurance as each 32-bit tag can 
be verified independently. 
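The block below is an added reference implementation, not code from the paper or from the XMAC authors, of the pseudo-code box above together with the modified binary tree of Section 4 and the forgery bound just derived. Rabbit itself is not implemented: stand_in_keystream (SHA-256 in counter mode) is an assumed substitute for Rabbit's key setup, IV setup and keystream, chosen only so that the example runs offline. Little-endian block order, the reduction of the SU keys modulo 2^31 − 1, treating the empty message as one zero block, and the function names derive_keys, modified_tree_hash, su_hash, xmac and forgery_bound are likewise this example's own assumptions. modified_tree_hash also returns the number of levels it used, so the ⌈log_2(L/64)⌉ count of step 5 can be checked on concrete messages.

```python
# Added example (not from the paper): a reference implementation of the XMAC
# pseudo-code using the modified binary tree of Section 4, the length append
# of Definition 8, the MMH* finalization of Eq. 6 and the one-time pad of
# Definition 4. ASSUMPTION: Rabbit is not implemented; stand_in_keystream
# (SHA-256 in counter mode) only stands in for Rabbit's key setup, IV setup and
# keystream. Byte order and the reduction of the SU keys are also assumptions.
import hashlib

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1
P = (1 << 31) - 1        # the SU hash works in the prime field {0, ..., 2^31 - 2}
MAX_LEVELS = 58          # a message of up to 2^64 bits needs at most 58 tree levels


def stand_in_keystream(key, label, nbytes):
    """ASSUMPTION: deterministic stand-in for Rabbit keyed with `key`."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]


def h(k, m1, m2):
    """Function h of the box: (m1 +32 k) * ((m1 >> 32) +32 (k >> 32)) +64 m2."""
    lo = (m1 + k) & MASK32
    hi = ((m1 >> 32) + (k >> 32)) & MASK32
    return (lo * hi + m2) & MASK64


def derive_keys(key):
    """Steps 1-2: 58 64-bit tree keys k_i and 6 SU keys k'_i in {0, ..., 2^31 - 2}."""
    ks = stand_in_keystream(key, b"tree", 8 * MAX_LEVELS)
    tree_keys = [int.from_bytes(ks[8 * i:8 * i + 8], "little") for i in range(MAX_LEVELS)]
    ks = stand_in_keystream(key, b"su", 4 * 6)
    su_keys = [int.from_bytes(ks[4 * i:4 * i + 4], "little") % P for i in range(6)]
    return tree_keys, su_keys


def modified_tree_hash(message, tree_keys):
    """Steps 3-5: record L = |M|, zero-pad to 64-bit blocks, then apply the modified
    binary tree: pairs of blocks go through h with the level key, an unpaired last
    block is passed through unchanged (Definition 7). Returns (digest, L, levels)."""
    L = 8 * len(message)
    padded = message + b"\x00" * (-len(message) % 8)
    blocks = [int.from_bytes(padded[i:i + 8], "little") for i in range(0, len(padded), 8)]
    if not blocks:
        blocks = [0]        # ASSUMPTION: the empty message is treated as one zero block
    levels = 0
    while len(blocks) > 1:
        k = tree_keys[levels]
        nxt = [h(k, blocks[i], blocks[i + 1]) for i in range(0, len(blocks) - 1, 2)]
        if len(blocks) % 2 == 1:
            nxt.append(blocks[-1])
        blocks, levels = nxt, levels + 1
    return blocks[0], L, levels


def su_hash(q150, su_keys):
    """Steps 7-8: five 30-bit words q_1..q_5 (most significant first) into MMH*."""
    words = [(q150 >> (150 - 30 * (i + 1))) & ((1 << 30) - 1) for i in range(5)]
    return (sum(q * k for q, k in zip(words, su_keys[:5])) + su_keys[5]) % P


def xmac(key, nonce, message):
    """Steps 1-9: returns the 32-bit tag as an int."""
    tree_keys, su_keys = derive_keys(key)
    digest, L, _ = modified_tree_hash(message, tree_keys)
    q150 = ((digest << 64) | (L & MASK64)) << 22      # Q = M || L, then 22 zero bits
    pad = int.from_bytes(stand_in_keystream(key, b"pad" + nonce, 4), "little")
    return su_hash(q150, su_keys) ^ pad


def forgery_bound(levels, eps_h=2.0 ** -32, eps_su=1.0 / P):
    """Section 5 bound: eps <= eps_SU + (1 - eps_SU)(1 - (1 - eps_h)^n)."""
    return eps_su + (1 - eps_su) * (1 - (1 - eps_h) ** levels)


if __name__ == "__main__":
    key, nonce = b"\x11" * 16, b"\x01" * 8        # constructed sample values
    print(hex(xmac(key, nonce, b"constructed sample message")))
    print("levels for 11 blocks:", modified_tree_hash(b"x" * 88, derive_keys(key)[0])[2])
```

The level count shows the tree-plus-linear-hash view of Section 4 directly: 11 blocks give the subtrees 2^3 + 2^1 + 2^0 and the while loop runs ⌈log_2 11⌉ = 4 times, exactly as a 16-block message would. Because a single 32-bit tag only reaches the 2^{-26.09} bound returned by forgery_bound(58), a deployment would run xmac y times with independent keys and concatenate the tags, as the text above describes.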

6 Performance 

We measured the performance of the algorithm specified above on a 1000 MHz 
Pentium III processor. The speed-optimized version was programmed in assembly 
language inlined in C and compiled using the Intel C++ 7.0 compiler. All 
performance results in this section are based on generating a 2 · 32-bit tag. 

In Table 1 the performance results are presented for two cases. The first case 
is where the pseudo-random pad is generated by the Rabbit stream cipher after 
being re-initialized by the IV-setup function, with the nonce as initialization 
vector. The second case is where the pseudo-random pad is generated by continuing 
the extraction of pseudo-random data from the Rabbit stream cipher. This 
eliminates the need to perform the rather expensive IV-setup, but is only useful 
when messages are guaranteed to be received in the same order as generated. 
This situation corresponds to interpreting the nonce as an iteration number of 
the stream cipher. However, in most applications the IV-setup is necessary, as 
for example in IPSec communication. 

Since the key material in XMAC depends on the length of the message, optimized 
versions can be used in applications where the message length is upper 
bounded. For example, in typical IPSec applications the message length cannot 
exceed 1500 bytes, and when authenticating TLS [23] protected data each 
message cannot exceed 17 kilobytes. Furthermore, the strongly universal hash 
function is simplified since parts of the input are zero, see eq. (6). The properties 
of XMAC when the message length is limited are shown in Table 2. 

The performance of XMAC and UMAC is illustrated in Fig. 2. Without the 
IV-setup XMAC is about a factor of 4 faster than UMAC for very short messages, 
and with the IV-setup the performance on short messages is about the same. 
On long messages the speed is still remarkable, and almost the same as UMAC. 

Table 1. Performance results with and without IV-setup. "Key setup" includes generating 
all keys for the U and SU hash functions, "Universal hash" includes hashing 
the tree, and "Finalization" includes the SU hash function and generating the pseudo- 
random pad. 

Function          IV-setup          Without IV-setup 
Key setup         4372 cycles       4372 cycles 
Universal hash    2.2 cycles/byte   2.2 cycles/byte 
Finalization      500 cycles        150 cycles 



Table 2. XMAC properties for various limited message lengths. "Memory req." denotes 
the amount of memory required to store the internal state including key material, 
temporary results and an instance of the Rabbit stream cipher. "Fin. no IV" denotes 
finalization without IV-setup and "Fin. IV" denotes finalization with IV-setup. 

Max message size   2^{..} bytes (e.g. IPSec)   2^{15} bytes (e.g. TLS)   2^{..} bytes   2^{..} bytes 
Memory req.        364 bytes                   492 bytes                 1044 bytes     1980 bytes 
Setup              1108 cycles                 1364 cycles               2484 cycles    4372 cycles 
Fin. no IV         126 cycles                  126 cycles                138 cycles     150 cycles 
Fin. IV            476 cycles                  476 cycles                488 cycles     500 cycles 



However, the forgery probabilities are a little better for UMAC. Note also that 
XMAC is still not fully optimized. 

Fig. 2. The performance of UMAC and XMAC as a function of message length 
(curves: XMAC IV, XMAC no IV, UMAC). 



7 Conclusions 



We presented a MAC called XMAC based on universal hashing. We introduced 
new families of universal hash functions especially well suited for tree-like hashing. 
These were obtained by reducing Δ-universal hash families to universal 
hash families. Furthermore, we developed an effective tree-like hashing procedure 
which consists basically of combining a tree hash with a linear hash. The 
proof of security is simple and easily verifiable. XMAC is fast on both short and 
long messages, achieving a peak performance of 2.2 cycles per byte on a Pentium 
III processor with a forgery probability of 2^{-52} for a 64-bit tag. The necessary 
key material for the hash functions is only 976 bytes, making the setup very fast. 
The design makes it fast on most platforms, and especially well suited for small 
32-bit processors, due to the small memory requirements. 



8 Claims 

1. A method for generating a cryptographically secure checksum (also called 
MAC or tag) of a digital message to be used for authenticating the message. 
The method comprises dividing the message into blocks of a certain 
size, which are combined using a compression method to obtain fewer blocks. 

2. A method according to claim 1 where the process of compression is repeated 
a number of times so as to end up with 1 or more blocks being the checksum 
or to be used for calculating the checksum. 

3. A method according to claims 1 and 2 where the compression method used to 
compress two input blocks (m_1 and m_2) into one output block (h(k, m_1, m_2)) 
given a cryptographic key (k) is 

  h(k, m_1, m_2) = (m_1 +_{32} k) \cdot ((m_1 \gg 32) +_{32} (k \gg 32)) +_{64} m_2   (21) 